security: move constants to certnames package

This breaks an import dependency cycle.

Release note: None

pkg/acceptance/cluster/BUILD.bazel

@@ -20,6 +20,7 @@ go_library(
         "//pkg/config/zonepb",
         "//pkg/roachpb",
         "//pkg/security",
+        "//pkg/security/certnames",
         "//pkg/security/username",
         "//pkg/util/contextutil",
         "//pkg/util/log",

pkg/acceptance/cluster/certs.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 )
 
@@ -53,27 +54,27 @@ func GenerateCerts(ctx context.Context) func() {
 	maybePanic(os.RemoveAll(certsDir))
 
 	maybePanic(security.CreateCAPair(
-		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
+		certsDir, filepath.Join(certsDir, certnames.EmbeddedCAKey),
 		keyLen, 96*time.Hour, false, false))
 
 	// Root user.
 	// Scope root user to system tenant and tenant ID 5 which is what we use by default for acceptance
 	// tests.
 	userScopes := []roachpb.TenantID{roachpb.SystemTenantID, roachpb.MakeTenantID(5)}
 	maybePanic(security.CreateClientPair(
-		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
+		certsDir, filepath.Join(certsDir, certnames.EmbeddedCAKey),
 		keyLen, 48*time.Hour, false, username.RootUserName(), userScopes, true /* generate pk8 key */))
 
 	// Test user.
 	// Scope test user to system tenant and tenant ID 5 which is what we use by default for acceptance
 	// tests.
 	maybePanic(security.CreateClientPair(
-		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
+		certsDir, filepath.Join(certsDir, certnames.EmbeddedCAKey),
 		keyLen, 48*time.Hour, false, username.TestUserName(), userScopes, true /* generate pk8 key */))
 
 	// Certs for starting a cockroach server. Key size is from cli/cert.go:defaultKeySize.
 	maybePanic(security.CreateNodePair(
-		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
+		certsDir, filepath.Join(certsDir, certnames.EmbeddedCAKey),
 		keyLen, 48*time.Hour, false, []string{"localhost", "cockroach"}))
 
 	// Store a copy of the client certificate and private key in a PKCS#12

pkg/acceptance/cluster/dockercluster.go

@@ -31,6 +31,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/log/logflags"
@@ -451,7 +452,7 @@ func (l *DockerCluster) createNodeCerts() {
 	}
 	maybePanic(security.CreateNodePair(
 		certsDir,
-		filepath.Join(certsDir, security.EmbeddedCAKey),
+		filepath.Join(certsDir, certnames.EmbeddedCAKey),
 		keyLen, 48*time.Hour, true /* overwrite */, nodes))
 }
 
@@ -772,9 +773,9 @@ func (l *DockerCluster) PGUrl(ctx context.Context, i int) string {
 	certUser := username.RootUser
 	options := url.Values{}
 	options.Add("sslmode", "verify-full")
-	options.Add("sslcert", filepath.Join(certsDir, security.EmbeddedRootCert))
-	options.Add("sslkey", filepath.Join(certsDir, security.EmbeddedRootKey))
-	options.Add("sslrootcert", filepath.Join(certsDir, security.EmbeddedCACert))
+	options.Add("sslcert", filepath.Join(certsDir, certnames.EmbeddedRootCert))
+	options.Add("sslkey", filepath.Join(certsDir, certnames.EmbeddedRootKey))
+	options.Add("sslrootcert", filepath.Join(certsDir, certnames.EmbeddedCACert))
 	pgURL := url.URL{
 		Scheme:   "postgres",
 		User:     url.User(certUser),

pkg/cli/democluster/demo_cluster.go

@@ -1048,7 +1048,7 @@ This server is running at increased risk of memory-related failures.`,
 
 // generateCerts generates some temporary certificates for cockroach demo.
 func (demoCtx *Context) generateCerts(certsDir string) (err error) {
-	caKeyPath := filepath.Join(certsDir, security.EmbeddedCAKey)
+	caKeyPath := filepath.Join(certsDir, certnames.EmbeddedCAKey)
 	// Create a CA-Key.
 	if err := security.CreateCAPair(
 		certsDir,
@@ -1075,7 +1075,7 @@ func (demoCtx *Context) generateCerts(certsDir string) (err error) {
 	// rootUserScope contains the tenant IDs the root user is allowed to access.
 	rootUserScope := []roachpb.TenantID{roachpb.SystemTenantID}
 	if demoCtx.Multitenant {
-		tenantCAKeyPath := filepath.Join(certsDir, security.EmbeddedTenantCAKey)
+		tenantCAKeyPath := filepath.Join(certsDir, certnames.EmbeddedTenantCAKey)
 		// Create a CA key for the tenants.
 		if err := security.CreateTenantCAPair(
 			certsDir,

pkg/cli/testutils.go

@@ -31,7 +31,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/cli/clisqlexec"
 	"github.com/cockroachdb/cockroach/pkg/cli/exit"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/securitytest"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/server"
@@ -422,7 +422,7 @@ func (c TestCLI) RunWithCAArgs(origArgs []string) {
 	if err := func() error {
 		args := append([]string(nil), origArgs[:1]...)
 		if c.TestServer != nil {
-			args = append(args, fmt.Sprintf("--ca-key=%s", filepath.Join(c.certsDir, security.EmbeddedCAKey)))
+			args = append(args, fmt.Sprintf("--ca-key=%s", filepath.Join(c.certsDir, certnames.EmbeddedCAKey)))
 			args = append(args, fmt.Sprintf("--certs-dir=%s", c.certsDir))
 		}
 		args = append(args, origArgs[1:]...)

pkg/rpc/BUILD.bazel

@@ -95,6 +95,7 @@ go_test(
         "//pkg/keys",
         "//pkg/roachpb",
         "//pkg/security",
+        "//pkg/security/certnames",
         "//pkg/security/securityassets",
         "//pkg/security/securitytest",
         "//pkg/security/username",

pkg/rpc/tls_test.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/testutils"
@@ -56,7 +57,7 @@ func TestClientSSLSettings(t *testing.T) {
 		t.Run("", func(t *testing.T) {
 			cfg := &base.Config{Insecure: tc.insecure, User: tc.user}
 			if tc.hasCerts {
-				testutils.FillCerts(cfg)
+				cfg.SSLCertsDir = certnames.EmbeddedCertsDir
 			} else {
 				// We can't leave this empty because otherwise it refers to the cwd which
 				// always exists.
@@ -119,7 +120,7 @@ func TestServerSSLSettings(t *testing.T) {
 		t.Run("", func(t *testing.T) {
 			cfg := &base.Config{Insecure: tc.insecure, User: username.NodeUserName()}
 			if tc.hasCerts {
-				testutils.FillCerts(cfg)
+				cfg.SSLCertsDir = certnames.EmbeddedCertsDir
 			}
 			ctx := context.Background()
 			stopper := stop.NewStopper()

pkg/security/BUILD.bazel

@@ -75,6 +75,7 @@ go_test(
         "//pkg/base",
         "//pkg/roachpb",
         "//pkg/rpc",
+        "//pkg/security/certnames",
         "//pkg/security/securityassets",
         "//pkg/security/securitytest",
         "//pkg/security/username",

pkg/security/certificate_loader_test.go

@@ -26,6 +26,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/securityassets"
 	"github.com/cockroachdb/cockroach/pkg/security/securitytest"
 	"github.com/cockroachdb/cockroach/pkg/testutils"
@@ -91,12 +92,12 @@ func TestCertNomenclature(t *testing.T) {
 
 func TestLoadEmbeddedCerts(t *testing.T) {
 	defer leaktest.AfterTest(t)()
-	cl := security.NewCertificateLoader(security.EmbeddedCertsDir)
+	cl := security.NewCertificateLoader(certnames.EmbeddedCertsDir)
 	if err := cl.Load(); err != nil {
 		t.Error(err)
 	}
 
-	assets, err := securitytest.AssetReadDir(security.EmbeddedCertsDir)
+	assets, err := securitytest.AssetReadDir(certnames.EmbeddedCertsDir)
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/security/certnames/BUILD.bazel

@@ -6,6 +6,7 @@ go_library(
     srcs = [
         "certnames.go",
         "doc.go",
+        "embedded.go",
         "locator.go",
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/security/certnames",

pkg/security/certnames/embedded.go

@@ -0,0 +1,35 @@
+// Copyright 2022 The Cockroach Authors.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package certnames
+
+// EmbeddedCertsDir is the certs directory inside embedded assets.
+// Embedded*{Cert,Key} are the filenames for embedded certs.
+const (
+	EmbeddedCertsDir     = "test_certs"
+	EmbeddedCACert       = "ca.crt"
+	EmbeddedCAKey        = "ca.key"
+	EmbeddedClientCACert = "ca-client.crt"
+	EmbeddedClientCAKey  = "ca-client.key"
+	EmbeddedUICACert     = "ca-ui.crt"
+	EmbeddedUICAKey      = "ca-ui.key"
+	EmbeddedNodeCert     = "node.crt"
+	EmbeddedNodeKey      = "node.key"
+	EmbeddedRootCert     = "client.root.crt"
+	EmbeddedRootKey      = "client.root.key"
+	EmbeddedTestUserCert = "client.testuser.crt"
+	EmbeddedTestUserKey  = "client.testuser.key"
+)
+
+// Embedded certificates specific to multi-tenancy testing.
+const (
+	EmbeddedTenantCACert = "ca-client-tenant.crt" // CA for client connections
+	EmbeddedTenantCAKey  = "ca-client-tenant.key" // CA for client connections
+)

pkg/security/certs_rotation_test.go

@@ -30,6 +30,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/rpc"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/securityassets"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/testutils"
@@ -89,7 +90,7 @@ func TestRotateCerts(t *testing.T) {
 
 	// Create a client by calling sql.Open which loads the certificates but do not use it yet.
 	createTestClient := func() *gosql.DB {
-		pgUrl := makeSecurePGUrl(s.ServingSQLAddr(), username.RootUser, certsDir, security.EmbeddedCACert, security.EmbeddedRootCert, security.EmbeddedRootKey)
+		pgUrl := makeSecurePGUrl(s.ServingSQLAddr(), username.RootUser, certsDir, certnames.EmbeddedCACert, certnames.EmbeddedRootCert, certnames.EmbeddedRootKey)
 		goDB, err := gosql.Open("postgres", pgUrl)
 		if err != nil {
 			t.Fatal(err)
@@ -233,7 +234,7 @@ func TestRotateCerts(t *testing.T) {
 	// Now regenerate certs, but keep the CA cert around.
 	// We still need to delete the key.
 	// New clients with certs will fail with bad certificate (CA not yet loaded).
-	if err := os.Remove(filepath.Join(certsDir, security.EmbeddedCAKey)); err != nil {
+	if err := os.Remove(filepath.Join(certsDir, certnames.EmbeddedCAKey)); err != nil {
 		t.Fatal(err)
 	}
 	if err := generateBaseCerts(certsDir); err != nil {

pkg/security/certs_tenant_test.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/securityassets"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
 	"github.com/stretchr/testify/require"
@@ -96,7 +97,7 @@ func testTenantCertificatesInner(t *testing.T, embedded bool) {
 		tenant = uint64(rand.Int63())
 		certsDir = makeTenantCerts(t, tenant)
 	} else {
-		certsDir = security.EmbeddedCertsDir
+		certsDir = certnames.EmbeddedCertsDir
 		tenant = security.EmbeddedTenantIDs()[0]
 	}